Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
Empower security teams to easily report suspicious emails & content and receive instant feedback
Published Jul 12 2019 10:00 AM 40.4K Views
Microsoft

One of the frequent requests we hear from Office 365 customers is the ability for security teams to easily report suspicious email messages or content to Microsoft and get feedback. Today I’m super excited to announce that we’re rolling out this capability to customers world-wide. This builds on a powerful capability Office 365 already supports - the ability for end users to report suspicious emails to their security teams and Microsoft. With the feature set we’re announcing today, security teams that want to defer reporting issues to Microsoft until after they have reviewed the messages themselves can now do so. What’s more - security teams can get immediate feedback on these submissions within the Office 365 Security and Compliance Center, dramatically reducing the time to investigate and response to issues and take corrective actions.

 

One of Microsoft Threat Protection's most important elements is the ability to secure emails and collaboration services with Office 365 Advanced Threat Protection (ATP). Office 365 ATP's strength of signal offers comprehensive and best-in-class protection against sophisticated, targeted and zero-day phishing and malware attacks. To give you a sense of the scale that we deal with, in the course of 1 year in 2018, Office 365 ATP blocked 5 billion phish emails and analyzed 300k phish campaigns, protecting 4 million unique users from advanced threats. Analyzing such a huge amount of data helps continuously improve the machine learning algorithms, leading to the highest accuracy and effectiveness in the industry.

 

Phish email statistics from Office 365 from January 2018 to September 2018.Phish email statistics from Office 365 from January 2018 to September 2018.

The impact to end users in 2018 from the enhanced anti-phish capabilities in Office 365The impact to end users in 2018 from the enhanced anti-phish capabilities in Office 365

 

As proud as we are about the effectiveness offered by Office 365 ATP, we also know that no solution is 100% effective. For this reason, we also offer powerful feedback loops through which suspicious emails can be reported by end users to Microsoft to feed into the overall intelligence and continually improve the service to better protect customers.

 

End users can report suspicious messages they see in their inbox to Microsoft using the  Report Message plug-in in Outlook and Outlook Web Access. Organizations’ security teams can also review these user-reported messages in the Office 365 Security and Compliance Center to better understand the attacks users are seeing and update their security policies.

 

Real-time report showing all user-submitted emailsReal-time report showing all user-submitted emails

From the SecOps perspective, these submissions form an important source of intelligence and can trigger investigation and remediation workflows to significantly reduce the time to detect and respond to an attack and therefore limit the scope of impact of an attack within the organization.

 

The Report Message plug-in is therefore an invaluable tool for users to flag suspicious content to not only their security teams, but directly to Microsoft as well. But some organizations don’t want their users to submit emails directly to Microsoft, as they may contain sensitive information. They want these submissions to first be reviewed by their security teams before being submitted to Microsoft.

 

Today we’re excited to announce that the email submission experience will now be available to security teams and admins from the same place where they review user-reported messages within the Office 365 Security and Compliance Center.

 

With this new capability, admins can easily submit emails and content, provide more details, and receive immediate feedback. The feedback provided by Microsoft will also offers valuable insights into configurations that may have caused a false positive or a false negative, reducing the time to investigate issues and improving the overall effectiveness.

 

With this new submission process, admins can: 

  • Submit suspicious emails, files, and URLs to Microsoft for analysis
  • Receive immediate feedback on their submissions
  • Find and remove rules allowing malicious content into the tenant 
  • Find and remove rules blocking good content into the tenant 

Here’s a quick run through of the experience. You can also learn more about it in our technical docs.

 

Step 1 – Log in to the Security and Compliance Center or the M365 Admin Center as Global Admin, Security Admin, or Security Reader. Click on the ‘Submissions’ node under ‘Threat Management’. You will see all the end user reported messages here. Under the ‘User Reported’ tab. To create a new admin submission from the portal, click the ‘New Admin Submission’ on the top left.

 

details.png

 

Step 2 – Enter all the details related to the submission such as submission type, recipients, reason for submission and submit.

 

review.png

 

Step 3 – Review the status of your submission. You can see the progress of the submission after it is submitted. You can also drill down into specific submissions and see what was submitted, what it was submitted as, and reason for submission, as well as what verdict was issued.

 

sender.PNG

take action.jpg

 

Step 4 – Take actions to fix the suggested configuration.

 

This can be a great tool to manage false positives and help fix configurations issues that may result in EOP/Office 365 ATP not performing optimally. In the future we’ll not only present the config-related issues but also automatically fix them.

 

To whom is it available?

 

All Office 365 customers will be able to use this feature. However, customers using Office 365 ATP will benefit most from it. Customers using third-party reporting tools can also use this capability.

 

As you look to implement this solution, it’s important to know it provides valuable data for more than Office 365 ATP. Microsoft Threat Protection services in general can leverage it to fine tune the machine learning algorithms and better protect, detect, and respond to threats across different threat vectors. Get started with an MTP trial if you want to experience the comprehensive and integrated protection Microsoft Threat Protection provides. Learn more about Microsoft Threat Protection by following our monthly blog series.

15 Comments

It's great to finally be able to report messages via an UI tool! Any chance to make it accept anything other than .eml files for direct upload though? 

@Vasil Michev , I believe you can also submit attachments and URLs for direct uploads, what other options were you thinking of?

 

@Pragya Pandey Could we share some information/guidance on the "rescan result" tab, and expectations/result?


Iron Contributor

Thanks @Pragya Pandey. There's no mention above of how a security team opts out of automatic submission of end user reporting to Microsoft, and thus only has the ability to do admin submissions. Is the change above to be implemented for everyone by default? 

Copper Contributor
Hello. Is it possible to query for submissions through an API? Something like MessageID, From, To, Subject, Date. That would enable the security team to build integrations to monitor user submitted mails.
Copper Contributor

How can we disable the automatic reporting to Microsoft when end-user report message? We should be able to review it before the end-user reported messages reaches Microsoft.

This article might need an update when the "Security and Compliance" portal is split into "Security" and "compliance". Looking in a tenant now where it is split, and I cant find the submissions area.

Microsoft

@Michael Sampson and @Muhammad Imran, we don't have the ability to disable direct submissions from users in the current version. We'll be adding that in the next set of updates.

Brass Contributor

@Pragya Pandey 

May update the post and explain how to retrieve the "network message id" as it is not the same like the "message id" you will get from the message header analysis.

I could only manage to submit an admin report from within the quarantine. I selected a message and clicked "submit message" which automatically retrieves the "network message id" for me.

 

May this is helpful to others as well.

 

Best regards,

 

Markus

Steel Contributor

To Alisdair Douglas, here is how to get to the old screens ... From the Office Admin Center \ Compliance \ Policies (on left) \ Office 365 alert. 

 

I hope Microsoft starts showing the how-do-I-navigate-to, from the new Security and Compliance screens. 

Copper Contributor

Fazer e-mail no Outlook é entender da formatação válida de cada e-mail para quem remeter o envio. Precisa de ter um assunto de conteúdo válido as exigências do serviços de cada profissional, o enredo jus o assunto citado acima, e o finalizando com os subscrito informando os contatos com voce quer firmar as relações comerciais.

Subscrevo

Maria Aparecida da Silva

Administrar Gerenciar Global

ID 5082238

 

Copper Contributor
I'm trying to submit an outbound FP and I'm getting "The policy check assesses if this submission will be allowed or blocked by your policies. Process status Completed Additional information This is an outbound email which can not be submitted." I'm assuming this is only meant for incoming FP/FN?!
Copper Contributor

Admin Center on Global and Manager Administrator for segurity the Business protector reported, communicate reported messegens in the experience
services the Office 365 for server in the potencial the Enterprise.

Copper Contributor

Serviços Online precisa que os comunicadores estejam sempre com discernimento de linguagem, ou continuo devir com segurança mútuo e objetivo alvo do êxito.

Copper Contributor

Office 365 oferecem experiências de performance moveis, na prática recomendáveis conectados com Teams ao mesmo tempo em que você implanta os clientes Desktop em navegador Microsoft Edge. 

Version history
Last update:
‎May 11 2021 02:06 PM
Updated by: